How to connect RHEL 6.7 to 2012 AD and log in with AD accounts?
I need to be able to log in to RHEL 6.7 servers using Active Directory accounts from a Windows 2012 Domain.
I've seen some information on the web, but nothing has worked for me so far.
Has anyone accomplished this?
Would appreciate it if someone could share what worked for them or point me to some info that they used.
Thanks!
Responses
Hello, the Red Hat Satellite User Guide has a section on using AD to authenticate users within the Configuring External Authentication chapter.
Stephen, the link you provided is for setting up a Red Hat Satellite server. It seems Mark Smith has Red Hat Enterprise Linux systems (he didn't mention a Satellite server) to log into a Windows 2012 Domain, authenticating to AD.
Mark, a link to a paper on joining RHEL 6.7 servers to a Windows domain is here: https://access.redhat.com/articles/216933 (which leads to this PDF file at access.redhat.com).
This link is the RHEL 7.x Windows Integration guide (6.7 is in the preceding paragraph).
Hi Mark,
This works for me.
Create custom profile for AD users
vi /etc/profile.d/custom.sh

# Default prompt for AD users
if [ "$PS1" ]; then PS1="[\u@\h \W]\$ "; fi
Edit the Pluggable Authentication Module for winbind to only allow access to the authorised groups, otherwise anyone with an AD account will be able to SSH onto this server.
Find the SID of the groups that only have access to this server
wbinfo -n grp-cc-redhat-superusers-global
SID_DOM_GROUP (2)

vi /etc/security/pam_winbind.conf

require_membership_of = SID, SID, SID

system-config-authentication

Select Winbind, enter your domain, select security model "domain", specify an AD controller, and under Advanced Options select "create home dir on 1st login".
Now Join your domain using your AD admin creds.
service winbind restart

Now users in the correct group should be able to ssh onto this server using their AD credentials:

ssh -l CC\userid servername

Which has its own group-based access limitation methods.
In general, we use per-application/service methods to allow/disallow groups. We've generally found that doing so is both more human-friendly and more easily accommodates delegating non-conflicting accesses (i.e., can lock people out of one service while easily allowing them access to others).
Obviously, "YMMV".
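The winbind walkthrough above hinges on `require_membership_of` in `/etc/security/pam_winbind.conf` actually listing group SIDs; if it is left empty or commented out, every AD account can SSH in. This shell audit is an added example (not from the thread or from Red Hat) that parses that setting and fails when no SID is required; the config files and SIDs it creates are constructed sample values.

```shell
#!/bin/sh
# Added audit helper (hypothetical, not from the thread): checks that
# a pam_winbind.conf really restricts logins to AD group SIDs.

# Print the active require_membership_of value (last uncommented assignment).
# Lines starting with ';' or '#' are pam_winbind.conf comments and are skipped.
rmo_value() {
    sed -n 's/^[[:space:]]*require_membership_of[[:space:]]*=[[:space:]]*//p' "$1" \
        | tail -n 1
}

# Count well-formed domain group SIDs (S-1-5-21-<3 subauthorities>-<RID>)
# in the comma-separated value; prints 0 when the restriction is empty.
rmo_sid_count() {
    rmo_value "$1" | tr ',' '\n' \
        | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' \
        | grep -c '^S-1-5-21\(-[0-9]\{1,\}\)\{4\}$' || true
}

# Return 0 when at least one SID is required, 1 when the file would let any
# AD account log in (the failure mode the post warns about).
check_pam_winbind() {
    n=$(rmo_sid_count "$1")
    if [ "$n" -ge 1 ]; then
        echo "OK: $1 requires membership of $n group SID(s)"
        return 0
    fi
    echo "WARN: $1 has no group SID in require_membership_of" >&2
    return 1
}

# Constructed sample configs with made-up SIDs, so the check runs offline.
GOOD_CONF=$(mktemp) && BAD_CONF=$(mktemp)
trap 'rm -f "$GOOD_CONF" "$BAD_CONF"' EXIT
cat > "$GOOD_CONF" <<'EOF'
[global]
;require_membership_of=
require_membership_of = S-1-5-21-1111111111-2222222222-3333333333-1105, S-1-5-21-1111111111-2222222222-3333333333-1106
EOF
cat > "$BAD_CONF" <<'EOF'
[global]
#require_membership_of = S-1-5-21-1111111111-2222222222-3333333333-1105
require_membership_of =
EOF

check_pam_winbind "$GOOD_CONF"
check_pam_winbind "$BAD_CONF" || true
```

To audit a real server, point `check_pam_winbind` at `/etc/security/pam_winbind.conf` and confirm each listed SID with `wbinfo -s <SID>`.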